Legitimate Uses and Obligations of a Data Fiduciary

Section 7. Certain Legitimate Uses

  • A Data Fiduciary is permitted to process the personal data of a Data Principal.

  • Such processing can be carried out only for certain specific purposes.

  • Each of the following uses constitutes a valid ground for processing the personal data.

  • These purposes are as follows:

(a). Processing Based on Voluntary Provision of Personal Data for a Specified Purpose

  • The Data Principal voluntarily provides her personal data to the Data Fiduciary.

  • This personal data is given for a clearly specified purpose.

  • Then the Data Fiduciary processes the data only for that specified purpose.

  • Provided that the Data Principal has not expressed any refusal or objection to the use of her personal data for that purpose.

Illustration I

  • X is an individual who makes a purchase at Y, a pharmacy.

  • During the transaction, X voluntarily provides her personal data to Y.

  • X specifically requests Y to acknowledge receipt of the payment.

  • The acknowledgement is to be sent by Y through a message to X’s mobile phone.

  • For this purpose, Y is permitted to process X’s personal data.

  • The processing is limited to sending the payment receipt as requested by X.

Illustration II

  • X is an individual who contacts Y, a real estate broker, through an electronic message.

  • X requests Y to help her identify a suitable rented accommodation.

  • For this purpose, X shares her personal data with Y voluntarily.

  • Y is permitted to process X’s personal data to search for suitable accommodation.

  • Y may also use the personal data to inform X about the available rental options.

  • At a later stage, X informs Y that she no longer requires Y’s assistance.

  • Once X withdraws her request, Y must stop processing X’s personal data.

  • Y is required to cease all further use of X’s personal data for this purpose.

(b). Processing of Personal Data by the State for Subsidies, Benefits, and Public Services

  • Personal data may be processed by the State or its instrumentalities.

  • This is done for providing or issuing prescribed subsidies, benefits, services, certificates, licences, or permits.

  • This is permitted where either of the following conditions is satisfied:

(i). Prior Consent Given to the State

  • The Data Principal has previously consented to the processing of her personal data.

  • Such consent relates to a subsidy, benefit, service, certificate, licence, or permit.

(ii). Data Available in Government Records

  • The personal data is already available with the State or its instrumentalities.

  • The data may be in digital form or originally in non-digital form but digitised later.

  • The data must come from a database, register, book, or document maintained by the State or its instrumentalities.

  • Such database or record must be notified by the Central Government.

  • In all cases, processing must comply with:

    1. Standards laid down in policies issued by the Central Government.

    2. Any law in force governing personal data.

Illustration

  • X is a pregnant woman.

  • X enrolls herself on an app or website to avail the government’s maternity benefits programme.

  • At the time of enrolment, X gives her consent to provide her personal data.

  • The consent is given specifically for the purpose of availing maternity benefits.

  • The Government is permitted to process X’s personal data to assess her eligibility for the maternity benefits programme.

  • The Government may also process her personal data to determine whether she is eligible to receive other benefits from the Government.

(c). Processing of Personal Data for Performance of State Functions and National Interests

  • Personal data may be processed by the State or any of its instrumentalities.

  • Such processing is permitted where it is necessary for the performance of any function of the State.

  • The function must be one that is carried out under a law that is currently in force in India.

  • In addition to statutory functions, processing is also permitted where it is required in:

    1. The interest of the sovereignty of India.

    2. The interest of the integrity of India.

    3. The interest of the security of the State.

  • In such cases, personal data may be processed without the Data Principal’s consent, as it is overridden by public or national interests.

(d). Processing of Personal Data for Compliance with Legal Disclosure Obligations

  • Personal data may be processed for the purpose of fulfilling a legal obligation.

  • Such obligation must arise under a law that is currently in force in India.

    1. The obligation must require a person to disclose certain information.

    2. The disclosure must be made to the State or to any of its instrumentalities.

  • Processing of personal data is permitted only to the extent necessary to comply with such legal obligation.

    1. Such processing must strictly follow the provisions governing disclosure under the relevant law.

    2. The processing must also be in accordance with any other law in force that regulates how such information is to be disclosed.

(e). Processing of Personal Data for Compliance with Judicial and Legal Orders

  • Personal data may be processed for the purpose of complying with a legal mandate.

    1. Such mandate may arise from a judgment, decree, or order.

    2. The judgment, decree, or order must be issued under a law that is in force in India.

    3. Processing is also permitted for compliance with a judgment or order passed outside India.

  • In the case of foreign judgments or orders, the processing must relate to claims of a contractual or civil nature.

    1. The foreign judgment or order must be issued under a law that is in force in the relevant foreign jurisdiction.

    2. Processing of personal data is limited to what is necessary to give effect to such judgment, decree, or order.

(f). Processing of Personal Data in Medical Emergencies

  • Personal data may be processed in situations involving a medical emergency.

    1. The emergency must pose a threat to the life of the Data Principal.

    2. Processing is also permitted where there is an immediate threat to the health of the Data Principal.

    3. Personal data may further be processed where the emergency involves a threat to the life or immediate health of any other individual.

  • In such emergency situations, processing is permitted without waiting for consent.

  • The processing must be limited to what is necessary to respond to the medical emergency.

(g). Processing of Personal Data for Public Health Emergencies

  • Personal data may be processed to provide medical treatment or health services.

    1. Such processing may relate to any individual, not only the Data Principal.

    2. The processing must be necessary to deal with a public health situation.

    3. This includes situations such as an epidemic and an outbreak of disease.

  • Processing is further permitted for addressing any other threat to public health.

  • In these circumstances, personal data may be processed without obtaining individual consent.

  • The processing must be limited to what is necessary for managing the public health emergency.

(h). Processing of Personal Data During Disasters and Breakdown of Public Order

  • Personal data may be processed for the purpose of assisting or protecting any individual.

    1. Such processing is permitted during a disaster.

    2. Processing is also permitted during any breakdown of public order.

    3. The purpose of the processing must be to respond to the situation and safeguard individuals affected by it.

  • In these circumstances, processing of personal data may take place without obtaining consent.

Explanation:

  • For the purposes of 7(h):

  • The term “disaster” used in this clause has the same meaning as assigned to it under Section 2(d) of the Disaster Management Act, 2005.

  • The processing of data must remain limited to what is necessary to deal with the disaster or the breakdown of public order.

(i). Processing of Personal Data for Employment-Related Purposes

  • Personal data may be processed for purposes connected with employment.

  • Such processing may be undertaken to safeguard the employer from loss or legal liability.

    1. This includes processing personal data to prevent corporate espionage.

    2. It also includes measures for maintaining the confidentiality of trade secrets.

    3. Processing may be carried out to protect intellectual property.

    4. It may further cover the protection of classified or sensitive information.

  • Personal data may also be processed for providing any service or benefit.

  • Such service or benefit must be one that is sought by the Data Principal in her capacity as an employee.

    1. In these situations, processing is permitted even without separate consent.

    2. This is done as it is linked to employment obligations and employer protection.

Section 8. General Obligations of a Data Fiduciary

8(1).

  • A Data Fiduciary has the primary responsibility to comply with this Act and the rules made under it.

  • This responsibility exists regardless of any agreement or contract to the contrary.

    1. Even if a Data Principal fails to perform her duties under the Act, the responsibility of the Data Fiduciary does not reduce or shift.

    2. The Data Fiduciary remains responsible for all processing of personal data undertaken by it.

    3. The Data Fiduciary is also responsible for any processing carried out on its behalf by a Data Processor.

  • Outsourcing processing does not absolve the Data Fiduciary of its legal obligations.

Example:

  • X is an e-commerce company and is a Data Fiduciary.

  • X appoints Y, a third-party cloud service provider, as a Data Processor to store and process customer personal data.

  • X and Y enter into a contract stating that Y will be responsible for data protection compliance.

  • A customer (the Data Principal) fails to update or correctly manage her account details.

    1. Even if a contract shifts responsibility to Y, X remains responsible under the Act.

    2. Even if the Data Principal does not fully perform her duties, X is still liable.

    3. In case of any non-compliance, X cannot blame Y or the Data Principal.

    4. X is legally accountable for all personal data processing done by Y on its behalf.

8(2).

  • A Data Fiduciary is permitted to involve another entity to process personal data on its behalf.

    1. This involvement may take different forms, such as engaging, appointing, or using a Data Processor.

    2. The Data Processor may process personal data only on behalf of the Data Fiduciary.

    3. Such processing must be connected to an activity related to offering goods or services to Data Principals.

  • The Data Fiduciary can involve a Data Processor only if there is a valid contract in place.

  • Without a valid contract, a Data Processor cannot lawfully process personal data on behalf of the Data Fiduciary.

8(3).

  • Personal data may be processed in situations where it is likely to be:

    (a). Used to make a decision that affects the Data Principal.

    (b). Disclosed to another Data Fiduciary.

  • In either of these situations, the Data Fiduciary must take special care with the data.

  • The Data Fiduciary must ensure that the personal data is complete, accurate and consistent.

8(4).

  • The Data Fiduciary is required to put safeguards in place.

  • These safeguards must include appropriate technical measures.

  • The Data Fiduciary must also implement suitable organisational measures.

  • The purpose of these measures is to ensure effective compliance with the provisions and the rules of this Act.

  • The objective of this is to make sure that the data protection framework is effectively followed in practice.

8(5).

  • Personal data that is in the possession and control of the Data Fiduciary must be protected.

    1. This obligation applies to all processing carried out directly by the Data Fiduciary.

    2. It also applies to any processing carried out on behalf of the Data Fiduciary by a Data Processor.

  • The Data Fiduciary must take reasonable security safeguards.

    1. These safeguards must be aimed at preventing personal data breaches.

    2. The responsibility for data security remains with the Data Fiduciary even when processing is outsourced.

8(6).

  • A situation may arise where a personal data breach occurs.

    1. When such a breach happens, the Data Fiduciary has a duty to act.

    2. The Data Fiduciary must inform the Board about the personal data breach.

    3. The Data Fiduciary must also inform every Data Principal who is affected by the breach.

    4. The intimation must be given in the form prescribed under the law.

    5. The intimation must also follow the manner prescribed under the law.

8(7).

  • Personal data must not be retained indefinitely.

  • Retention may continue only where it is necessary to comply with a law currently in force.

  • In all other cases, the Data Fiduciary has a duty to erase personal data.

  • (a).

    1. Personal data must be erased if the Data Principal withdraws her consent.

    2. Personal data must also be erased once it is reasonable to assume that the specified purpose is no longer being fulfilled.

    3. Whichever of these events occurs first triggers the obligation to erase the personal data.

  • (b).

    1. The Data Fiduciary has a duty to ensure compliance by the Data Processor.

    2. Any personal data shared with a Data Processor must be erased once erasure is required.

    3. The responsibility for such erasure rests with the Data Fiduciary, even though the data is held by the Data Processor.

Illustration I

  • X, an individual, registers on an online marketplace operated by Y, an e-commerce service provider.

  • X gives her consent to Y to process her personal data for the purpose of selling her used car.

  • The online marketplace facilitates and completes the sale of the car.

  • Once the sale is concluded, the specified purpose is fulfilled.

  • Therefore, Y must not retain X’s personal data any longer.

Illustration II

  • X, an individual, decides to close her savings account with Y, a bank.

  • Under banking laws, Y is required to retain client identity records even after an account is closed.

  • The law mandates that such records be kept for ten years after the closure of the account.

  • Because this retention is necessary for legal compliance, Y is permitted to retain X’s personal data for that ten-year period.

8(8).

  • The specified purpose mentioned earlier under Section 7(a) may, over time, be treated as having come to an end.

  • Section 7(a) deals with processing of data by voluntary consent for a specific purpose.

  • The purpose is deemed to no longer be served when the Data Principal remains inactive for a prescribed period.

  • Such inactivity is assessed based on two conditions:

    (a). The Data Principal does not approach the Data Fiduciary for the performance of the specified purpose; and

    (b). The Data Principal does not exercise any of her rights in relation to such processing.

  • The period of inactivity must be one that is prescribed under the law.

    1. Different time periods may be prescribed for different classes of Data Fiduciaries.

    2. Different time periods may also be prescribed depending on the nature of the specified purpose.

  • Once this prescribed period lapses, the purpose is treated as no longer being served.

8(9).

  • Business contact information must be made publicly available.

  • The publication must be done in the manner prescribed under the law.

  • Where a Data Protection Officer is required to be appointed:

    1. The published contact details must be those of the Data Protection Officer.

  • If a Data Protection Officer is not applicable, then:

    1. The Data Fiduciary must publish the contact details of another person.

    2. That person must be authorised to respond on behalf of the Data Fiduciary.

    3. The role of this person is to answer questions raised by the Data Principal.

    4. Such questions must relate to the processing of the Data Principal’s personal data.

  • The objective is that the Data Principal should have a clear point of contact for queries regarding her personal data.

8(10).

  • A mechanism for handling complaints must be put in place.

  • The mechanism must be effective in nature and must be established by the Data Fiduciary.

  • The purpose of the mechanism is to redress grievances.

  • Such grievances may be raised by Data Principals.

  • The grievances must relate to the processing of personal data.

  • The objective is that the Data Principal should have an appropriate mechanism in place to seek resolution of her concerns.

8(11).

  • For the purposes of this Section:

  • A Data Principal will be treated as not having approached the Data Fiduciary for performance of the specified purpose in certain situations.

  • This treatment applies during any period in which the Data Principal remains inactive.

    1. Inactivity means that the Data Principal has not initiated contact with the Data Fiduciary.

    2. The contact must relate to the performance of the specified purpose.

    3. Such contact may be in person.

    4. It may also be by communication in electronic form.

    5. It may further be by communication in physical (offline) form.

  • If none of these forms of contact are initiated during the relevant period, then:

    1. The Data Principal is deemed not to have approached the Data Fiduciary.
